Commit graph

47 commits

Author SHA1 Message Date
Keith Martin
b6687b6c29
Tests: Improve isolation and add fixes #5263
* Tests: fix random selection of deleted record causing test failure
* Tests: fix test folders being left after test
* Tests: ensure that required records are available
* Tests: make each package execute against it's own testdata folder to ensure no interpackage test failures
* Tests: add unit tests of CleanupTestFolder
* Tests:  Allow defer in TestMain
* Tests: rename testMain to runTestMain
2026-07-12 05:47:21 +02:00
Michael Mayer
9d0aca64b8 OIDC: Add configurable authorization prompt option #5698
Add PHOTOPRISM_OIDC_PROMPT (--oidc-prompt) to forward the OpenID Connect
"prompt" parameter (login, select_account, consent) on the authorization
request, so a rejected user can re-authenticate or pick another account
instead of being silently signed in again. Unsupported values (including
"none", which would break interactive login) are dropped with a warning;
empty preserves the seamless-SSO default.
2026-06-27 12:35:04 +00:00
Michael Mayer
80437299da OIDC: Send and validate a nonce on authorization requests #5695 2026-06-25 16:54:29 +02:00
Michael Mayer
11c074cb85 Auth: Delegate cluster OIDC logout to the Portal end-session endpoint #5684
On a cluster-OIDC Sign-Out the instance now delegates the Portal session and the
upstream RP-logout to the Portal's end-session endpoint instead of doing them
itself: revokePeerSessions skips the Portal peer's backend DELETE (still clearing
its storage), and DeleteSession skips clearing the OP session cookie when it
returns a providerLogoutUri — otherwise the Portal OP could not resolve the
session (via that cookie) to chain the upstream logout. onLogout now resolves to
the chosen landing URL so the /logout route guard follows the provider logout URL
too. Adds the oidcLogout client-config accessor and an instance.portal session
marker so the Portal peer is identified explicitly rather than by URL shape.
2026-06-24 15:22:04 +00:00
Michael Mayer
50976f427e Auth: Add RP-initiated OIDC logout via PHOTOPRISM_OIDC_LOGOUT #5684 #5433
Sign-out of an OIDC session redirects the browser to the provider's
discovered end_session_endpoint (id_token_hint + absolute
post_logout_redirect_uri) when PHOTOPRISM_OIDC_LOGOUT is enabled, so the
provider SSO session ends and the next login re-prompts. Opt-in (default
off); local/LDAP logout and providers without an end-session endpoint fall
back to local logout.

Adds the shared CE /api/v1/oauth/logout route and OAuthLogoutHandler hook
plus the Portal OP end_session_endpoint advertised in the Portal discovery
document, for Portal builds to serve via the override hook.
2026-06-24 17:21:00 +02:00
Cathie Integra
3f096a592b Links: Use canonical trailing-slash form for website URLs 2026-06-24 17:20:30 +02:00
Michael Mayer
e308fd7b58 Auth: Land cluster sign-out on the Portal login without return_to 2026-06-12 19:56:44 +00:00
Michael Mayer
d091958a60 Cluster: Collect OIDC groups at login for group-based admission 2026-06-12 16:08:38 +00:00
Michael Mayer
d0d956410c OIDC: Scope the RP state cookie to the instance OIDC base path
The relying-party state and PKCE cookies were left at the zitadel default Path=/, so on a shared-domain proxy (instances served under /i/<tenant>) they reached the callback only if the proxy rewrote the Set-Cookie path. They are now scoped to <base>/api/v1/oidc, covering both the login leg and the redirect callback, so they survive to the callback regardless of any proxy rewrite.
2026-06-09 15:36:35 +00:00
Michael Mayer
7881849b63 Cluster: Redirect cluster-OIDC sign-out to the Portal login
A user who signed in via cluster OIDC now returns to the Portal login (re-auth via OIDC) on sign-out instead of the instance's local form. The /logout route awaits the cluster-wide sign-out so the Portal OP cookie is cleared before the redirect, avoiding a silent re-SSO.
2026-06-09 15:36:24 +00:00
Michael Mayer
7232cc23a4 OIDC: Render a branded page when the RP code exchange fails
The OIDC RP callback handler returned without writing a response when
CodeExchangeUserInfo failed (e.g. a missing/expired state cookie), leaving
the raw zitadel error ("failed to get state: http: named cookie not present")
on screen with no way forward. CodeExchangeUserInfo now runs the exchange
against a recorder so the handler's raw error never reaches the browser, and
the callback renders the branded auth.gohtml page (which returns the user to
login) instead of a dead-end. Set-Cookie headers from a successful exchange
are still propagated.
2026-06-09 13:11:02 +00:00
Ömer Duran
fddab77506
Auth: Apply Portal-granted role on OIDC instance login
Honor the pp_role claim (gated by pp_issuer_kind) over the group mapping so an instance login reflects the role the Portal granted, restricted to federatable roles.
2026-06-05 21:03:36 +02:00
Michael Mayer
d48ef12c99 Auth: Keep OIDC RP state and PKCE cookies Secure on HTTPS
Gate the OIDC relying-party cookie handler's WithUnsecure() on the existing
insecure flag instead of applying it unconditionally, so the round-trip state
(CSRF defense) and PKCE code_verifier cookies retain the Secure attribute on
HTTPS deployments. Addresses audit finding OJW-260603-02 (GO-HTTP-005).
2026-06-03 16:10:39 +00:00
Michael Mayer
6b8ae165fb Auth: Accept EdDSA ID tokens in the OIDC relying party 2026-06-03 17:12:59 +02:00
Michael Mayer
570a563748 Docs: Bump copyright year to 2026 in Go package headers 2026-05-25 14:39:38 +00:00
Michael Mayer
d5ecab8827 Proxy: Define /i/ as DefaultPathPrefix for shared-domain deployments
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-24 01:15:23 +01:00
Michael Mayer
a0070dce1c Cluster: Improve usage of canonical terms in code/docs based on glossary
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-23 16:16:29 +01:00
Michael Mayer
c1467cb3f5 Cluster: Rename the "tenant" node role to "instance" for accuracy
This more accurately reflects the multi-instance architecture.

Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-23 04:27:43 +01:00
Michael Mayer
45bfdf30c3 Docs: Update paths in README.md, AGENT.md, and CODEMAP.md
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-22 15:33:19 +01:00
Michael Mayer
6867626c9a Docs: Shorten "Context & Constraints" to "Constraints"
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-14 08:23:27 +01:00
Michael Mayer
c6c16c5355 OIDC: Update Keycloak client settings in scripts/sql/mariadb-init.sql
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-10 12:34:42 +01:00
Michael Mayer
bf781b9b37 OIDC: Add "Entra App Roles" section to README.md #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-27 15:28:07 +01:00
Michael Mayer
53b21eb5a0 OIDC: Update README.md #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-27 13:16:10 +01:00
Michael Mayer
66599070f1 OIDC: Update README.md #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-27 12:06:48 +01:00
Michael Mayer
6318c3ddc8 OIDC: Update README.md #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-27 12:06:17 +01:00
Michael Mayer
6c50ee0ade OIDC: Merge groups, add inline code docs, and improve README.md #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-27 12:02:57 +01:00
Michael Mayer
9d378f2041 OIDC: Update README.md #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-27 11:52:54 +01:00
Michael Mayer
3d90ab1468 OIDC: Update internal/auth/oidc/README.md #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-23 16:38:53 +01:00
Michael Mayer
cc94683533 OIDC: Update internal/auth/oidc/README.md #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-23 16:33:11 +01:00
Michael Mayer
5f0ade87f5 OIDC: Add support for Microsoft Entra ID security groups #5334
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-23 16:04:25 +01:00
Michael Mayer
73fa8fb86f OIDC: Add internal/auth/oidc/README.md
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-23 15:23:12 +01:00
Michael Mayer
6c50a87632 Auth: Apply "golangci-lint" recommendations #5330
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-21 16:22:42 +01:00
Michael Mayer
cd7fa6adca Logs: Add package pkg/log/status to provide generic outcome constants
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-21 14:42:05 +02:00
Michael Mayer
a921f82a17 Pkg: Move /service/http/... to /http/... and add package /http/dns
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-19 21:08:48 +02:00
Michael Mayer
4bbba226b7 Security: Add a system log for publishing internal warnings and errors
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-07 21:08:04 +02:00
Michael Mayer
838adee3eb Backend: Refactor middleware naming and improve code comments #5235
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-09-30 23:25:53 +02:00
Michael Mayer
6a89519e63 Videos: Refactor codec, content and file type specifications #4770
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-02-05 00:30:45 +01:00
Michael Mayer
01f15fa406 Backend: Update copyright notices
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-01-09 10:28:17 +01:00
graciousgrey
5a1995736d Tests: Add unit tests 2024-07-17 16:35:49 +02:00
graciousgrey
f1f4853190 Tests: Add unit tests #782 2024-07-16 10:34:15 +02:00
Michael Mayer
e87f32fa5c OIDC: Add "address" to the default userinfo request scopes #782
see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-09 06:55:06 +02:00
Michael Mayer
22aa700b1e Config: Refactor initialization of settings and database connection
Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-07 17:00:38 +02:00
Michael Mayer
8db269a742 OIDC: Upgrade "zitadel/oidc" from v2 to v3 #782
Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-06 11:27:03 +02:00
Michael Mayer
c970511c82 OIDC: Upgrade "zitadel/oidc" from v1 to v2 #782
Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-06 11:15:23 +02:00
Michael Mayer
3ecee16848 OIDC: Improve auth api logs and user verification #782
Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-04 10:24:10 +02:00
Michael Mayer
cc920698a2 OIDC: Refactor /internal/auth/oidc package #782
Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-02 14:38:29 +02:00
Michael Mayer
a97f8d0795 API: Implement OIDC redirect endpoint #782
Requires further testing and refinement before it can be released.

Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-01 16:50:53 +02:00